RSA boss slams cyber-security scaremongers
Art Coviello criticises use of 'Cyber Pearl Harbor' phrase
RSA's executive president, Art Coviello, yesterday criticised industry peers for using hyperbole to market their products, The Register reported.
His remarks came during his keynote address that opened the 2013 RSA Conference.
"I absolutely hate the term 'Cyber Pearl Harbor'," he said. "I just think it's a poor metaphor to describe the state we are really in. What do I do differently once I've heard it? And I've been hearing it for 10 years now. To trigger a physically destructive event solely from the Internet might not be impossible, but it is still, as of today, highly unlikely."
Coviello noted the recent attacks against US banks as an example of how corporate reputations can suffer from cyber intrusion, leading to real economic impact. He said that the spread of fear, uncertainty and doubt (FUD) was causing some organisations to hesitate before formulating a coherent security strategy.
In the Gulf region, following last summer's attacks on Saudi Aramco and Ras Gas, many industry commentators have used extreme language to warn companies that they could be next, despite the demonstrably political nature of those attacks. In parallel, however, other security specialists have used the GCC attacks to illustrate that traditional front-door prevention mechanisms such as firewalls and anti-virus are not enough to protect organisations from cyber threats.
Earlier this month RSA, the security arm of EMC Corp, invited ITP.net to a roundtable in Dubai at which the company unveiled a security solution that placed emphasis on detection and response rather than prevention. A cloud-hosted analytics engine was demonstrated that worked in concert with localised network monitoring tools to collate packet and activity data. The purpose was to employ pattern-matching on network behaviour, as opposed to the classic signature-matching approach of anti-virus software, thereby identifying suspect network behaviour.
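The distinction the roundtable drew, between matching payloads against known signatures and matching behaviour against a pattern, is easy to see in a few lines of code. The example below is added here and is not RSA's product or any code from the article; the flow records, IP addresses, the "KNOWN_BAD_MARKER" signature and the threshold values are all constructed for illustration. The signature check only fires on the one host whose payload contains a known string, while the behavioural check flags a host that contacts the same destination at near-constant intervals (beacon-like traffic), which has no signature at all.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records, not real traffic:
# (seconds since capture start, src, dst, dst_port, bytes, payload snippet)
FLOWS = [
    # host A: regular 60-second check-ins to one external host, ordinary-looking payload
    (0,   "10.0.0.5", "203.0.113.9", 443, 1400, "GET /index.html"),
    (60,  "10.0.0.5", "203.0.113.9", 443, 1410, "GET /index.html"),
    (121, "10.0.0.5", "203.0.113.9", 443, 1395, "GET /index.html"),
    (179, "10.0.0.5", "203.0.113.9", 443, 1402, "GET /index.html"),
    (240, "10.0.0.5", "203.0.113.9", 443, 1408, "GET /index.html"),
    (301, "10.0.0.5", "203.0.113.9", 443, 1399, "GET /index.html"),
    # host B: normal browsing, many destinations, irregular timing
    (5,   "10.0.0.7", "198.51.100.2", 80,  9000,  "GET /news"),
    (43,  "10.0.0.7", "198.51.100.3", 80,  7200,  "GET /sports"),
    (97,  "10.0.0.7", "198.51.100.4", 443, 12000, "POST /login"),
    (300, "10.0.0.7", "198.51.100.2", 80,  3000,  "GET /weather"),
    # host C: single flow whose payload carries a known (constructed) signature
    (7,   "10.0.0.9", "192.0.2.44", 8080, 600, "KNOWN_BAD_MARKER download"),
]

# Constructed signature list standing in for an anti-virus style database.
SIGNATURES = ["KNOWN_BAD_MARKER"]


def signature_hits(flows, signatures=SIGNATURES):
    """Classic approach: report sources whose payload contains a known bad string."""
    hits = set()
    for _t, src, _dst, _port, _nbytes, payload in flows:
        if any(sig in payload for sig in signatures):
            hits.add(src)
    return sorted(hits)


def beacon_candidates(flows, min_flows=5, max_cv=0.1):
    """Behavioural approach: report (src, dst, port) tuples that talk at
    near-constant intervals. The coefficient of variation (stdev / mean) of
    the inter-arrival gaps is close to 0 for machine-driven check-ins and
    much larger for human-driven traffic. Thresholds are illustrative."""
    times_by_pair = defaultdict(list)
    for t, src, dst, port, _nbytes, _payload in flows:
        times_by_pair[(src, dst, port)].append(t)

    findings = []
    for key, times in times_by_pair.items():
        if len(times) < min_flows:
            continue  # too few observations to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((key, round(avg, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_hits(FLOWS))
    print("beacon-like pairs:", beacon_candidates(FLOWS))
```

Running it reports only 10.0.0.9 from the signature check, and only the 10.0.0.5 to 203.0.113.9:443 pair from the behavioural check; the browsing host 10.0.0.7 triggers neither. The two detectors are complementary, which is the point the article's roundtable was making about detection and response.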
Scott Charney, VP of Microsoft's Trustworthy Computing Group, took Coviello's advice and adopted a lighter note in his RSA keynote, hailing the progress that had been made in battling cyber criminals.
"I'm an optimist," he said. "You can be an optimist because you're delusional or you can be an optimist for a reason. There is a case for optimism."
However, in a remark that suggested he had missed Coviello's opening remarks (or perhaps merely fallen asleep during the keynote), Michael Chertoff, a former US Secretary of Homeland Security, said we might be facing a "cyber 9/11".
So true, many organisations are certainly wary of defining a security strategy based on vendor input as many paint a glum picture. However, many also fail to perform a threat assessment on themselves and follow it up with a risk assessment to determine what their current situation is. Instead, they rely on vendors to tell them of the risks as part of the sales cycle and base their technical strategy on that. Overall management of information security is still severely lacking in most organisations with management requiring external vendors to give risk status updates which their internal staff are giving them through internal processes.
Until organisations go back to the foundations, they will be vulnerable to hype.